The Green Sheet Online Edition
July 14, 2014 • Issue 14:07:01
Data breach forces P.F. Chang's back to 'knucklebusters'
In the wake of the recently uncovered data compromise at restaurant chain P.F. Chang's China Bistro Inc., the business reverted to 1970s-style manual card imprinters, also known as "knucklebusters," to process card payments. Beyond the novelty of a 21st century business resorting to 40-year-old technology that involves running bankcards through clunky machines to make impressions on carbon slips, the breach underscores once again the security weaknesses of current POS systems that may not lessen fraud – even when Europay/MasterCard/Visa (EMV) chip card technology is implemented.
In a June 12, 2014, statement, P.F. Chang's Chief Executive Officer Rick Federico stated that two days earlier the chain learned of the breach from the United States Secret Service and initiated an investigation with the help of an unnamed third-party forensics investigator. Federico said that credit and debit card data had been "stolen from some of our restaurants," indicating that the breach may have been limited in scope.
However, data security reporter Brian Krebs, who broke the story on June 10, 2014, reported that the breach began around Sept. 18, 2013, and had been operating for about nine months before its termination in June. Based on the length of the breach and the amount of sales P.F. Chang's disclosed on a 2012 quarterly financial statement, Krebs conjectured on his blog, KrebsOnSecurity, that the breach impacted at least 7 million cards.
Security experts have remarked on the similarities between the 2013 Target Corp. breach and the P.F. Chang's breach. In the Target breach, malware was reportedly installed on the big-box retailer's back-end servers, allowing payment card data to be surreptitiously harvested from POS terminals and transmitted to fraudsters who then put up the card data for sale on online black market sites. Krebs noted that payment card data from the P.F. Chang's breach showed up for sale on the same black market clearing house, Rescator, that sold card data stolen in the Target breach.
At press time, P.F. Chang's was apparently still using the imprinters, seen by security experts as a logical, if short-term, solution to ensure no more card numbers are stolen. Yet the practice raises another security issue: how those carbon copies of card numbers are being stored.
From EMV to e-commerce
Karisse Hendrick, Industry Specialist at the MRC, the Seattle-based payment and risk association for e-commerce merchants, pointed out that the physical POS environment remains the most vulnerable avenue for fraud. "It does seem like the largest breaches are occurring on POS intrusions," she said.
Hendrick noted that in the online realm, retailers have instituted layers of security to protect sensitive data, as prescribed by the PCI SSC's regulations. In the brick-and-mortar world, however, businesses are still playing catch-up. "A lot of the POS software was written in the '80s and so getting those [systems] updated is a challenge," she said.
Despite the implementation of EMV chip card schemes to replace security-deficient mag stripe technology, fraud will not be curtailed, according to Hendrick. "Even with EMV coming out, unfortunately, the same types of malware attacks on POS systems that are occurring now can still happen post-EMV conversion," she said.
Hendrick stated that EMV will be effective in reducing the counterfeiting of cards because fraudsters will no longer be able to replicate cards by encoding blank mag stripe cards with stolen card numbers. Thus, data thieves will not be able to employ dummy cards to steal millions of dollars from ATMs and millions more from retailers in the form of goods and services illicitly purchased at physical POSs.
However, EMV will not stop fraudsters from stealing data at the physical POS, via malware for instance, and then using the stolen data online. "You're going to have millions of credit card numbers and [fraudsters will] not be able to recirculate them through the card-present environment," Hendrick said. "So our concern is that they are going to all go to e-commerce to use these fraudulent transactions."
Preparing for the worst
Despite these concerns, Hendrick said e-commerce in general "has gotten so vigilant in identifying and preventing fraud on stolen card numbers that it's much harder for [fraudsters] to turn around and use those stolen numbers in an e-commerce environment."
The MRC provides services for a membership of just under 400 e-commerce firms in North America and Europe. Hendrick said its members report 47 percent less fraud than non-MRC members. She added that fighting fraud is the one area where fiercely competitive companies can find common ground and a common purpose, and they share information because "not one of them wants fraud."
On an anonymous basis, MRC shares information with its members about businesses that have been compromised. Hendrick also said the association is keen on preparation. "I think it's really important for merchants to say, 'We can't just think it's going to happen to everyone else,'" she noted.
Among the MRC's recommendations is that companies generate form letters beforehand that they can send out to customers if and when businesses are compromised, "so you don't have to go through the whole process while everyone is in a panic," Hendrick said.